Personal Data Processing Policy

1. Information About the Company Responsible for Personal Data Processing
1.1. The purpose of this Personal Data Processing Policy (hereinafter referred to as the "Policy") is to inform you about how PMU Shop Georgia LLC (I/N 405831792) (hereinafter referred to as the "Company" or "We") processes your personal data. 
1.2. The Company is a legal entity established in accordance with the legislation of Georgia, which, for the purposes of this Policy, acts as a data controller (the person responsible for processing).
1.3. The Company's address is: 1a E. Takaishvili Street, Tbilisi, Georgia.
1.4. The Company's website is: https://pmushop.ge/ka
1.5. The Company's email address is: info@pmushop.ge
1.6. The Company's contact number is: +995 591 74 47 47
1.7. Contact email address regarding personal data: contact@pmushop.ge
2. The Company's Website and Mobile Application
2.1. This Policy applies to the processing of personal data on the Company's website and mobile application (hereinafter collectively referred to as the "Platform").
3. Scope of the Policy
3.1. This Policy regulates the rules of personal data processing by the Company towards any person (hereinafter referred to as the "Data Subject" or "You") who uses the Company's Platform to receive the Company's services.
3.2. The Policy applies to all persons utilizing the Platform, regardless of whether they are registered users or not.
3.3. This Policy does not apply to third-party websites, services, and applications to which a user may be redirected via links placed on our Platform.
4. Purpose of the Personal Data Processing Policy
4.1. In the process of personal data processing, the Company is guided by the Law of Georgia "On Personal Data Protection", the General Data Protection Regulation (GDPR) of the European Union, and other relevant normative acts.
4.2. The purpose of this Policy is to ensure that the data subject is well-informed regarding the personal data processing activities carried out by the Company. Specifically, this document serves the following purposes:

4.2.1. To provide you with full and comprehensive information regarding the methods, scope, and purposes for which the Company collects, stores, and processes your personal data;
4.2.2. To explain the primary legal grounds and principles upon which the Company relies during the data processing;
4.2.3. To clarify your rights granted by the applicable legislation of Georgia and the General Data Protection Regulation (GDPR) of the European Union, and to introduce the mechanisms for the practical exercise of these rights;
4.2.4. To describe the categories of personal data that must be processed to provide you with services, communicate with you, or improve the performance of the Platform;
4.2.5. To confirm that the processing of personal data is carried out in strict compliance with the Law of Georgia "On Personal Data Protection" and best international practices (including GDPR principles).

5. Personal Data Protection Obligation
5.1. The Company acknowledges the importance of personal data protection and confirms that ensuring the security of your personal data is our priority. To this end, the Company is obliged to:

5.1.1. Implement and continuously update organizational and technical security measures to protect your personal data from unauthorized access, accidental loss, destruction, or any other unlawful forms of processing;
5.1.2. Refrain from processing your data in violation of the law and use it solely for the specific, predefined, legitimate purposes for which it was collected;
5.1.3. Ensure the complete realization of your rights;
5.1.4. Upon your request and within the statutory timeframes, provide you with detailed information regarding the grounds, purposes, and retention periods of your data processing;
5.1.5. To observe the principle of data minimization, which means that we collect and process only the data that is necessary to provide services qualitatively.   

6. Your Rights and Legal Protection Guarantees
6.1. The Company ensures the processing of your personal data in full compliance with the principles and requirements of the Law of Georgia "On Personal Data Protection" and the General Data Protection Regulation (GDPR).
6.2. You have the right to contact us at any time and obtain information regarding the processing of your data. Specifically, you have the right to request:

6.2.1. Information on whether your data is being processed, and to directly access this data;
6.2.2. Information regarding the purposes of processing, legal grounds, and the sources of data collection;
6.2.3. Information regarding the specific retention period of the data or the criteria used to determine such period;
6.2.4. Information regarding the persons (recipients) to whom your data has been or may be disclosed, including information on the grounds and purposes of such disclosure;
6.2.5. Information regarding the existence of automated decision-making, including "profiling", its underlying logic, and its anticipated consequences for you;
6.2.6. Rectification of inaccurate data, updates, or deletion of data, including the "right to erasure" ("right to be forgotten"), the processing of which is no longer necessary for lawful purposes;
6.2.7. Temporary restriction/suspension of data processing in cases provided by law.

6.3. The Company is obliged to ensure that the provided information is clear and accessible. The requested information will be provided within the timeframe established by legislation (no later than 10 working days, unless otherwise specified by law).
6.4. You have the right to request the update, addition, blocking, deletion, or destruction of your personal data if it is incomplete, inaccurate, outdated, or if its processing was carried out in violation of the legislation.
6.5. You have the right to withdraw your consent to data processing at any time.
6.6. You have the right to request the termination of data processing for direct marketing purposes. The Company is obliged to cease data processing within 7 working days from receiving such a request.
6.7. Please note that your request for data deletion may not be fulfilled immediately if the Company is under a legal obligation to retain the information (for example, arising from tax, archival, or consumer protection legislation).
6.8. You have the right to object to a decision based solely on automated processing (including "profiling") which produces legal or similarly significant effects concerning you.
6.9. If you believe that your rights have been violated, you may appeal to the State Audit Office (https://www.sao.ge/ka/) or the court. If you reside within the European Union, you have the right to lodge a complaint with the relevant supervisory authority in the EU member state of your habitual residence.
6.10. To exercise your rights or in case of additional questions, please contact us at the electronic address: info@pmushop.ge 

7. Personal Data Handled by the Company About You
7.1. The Company processes your personal data on the following legal bases: your consent, performance of contractual obligations, our legitimate interests, and statutory obligations.
7.2. We collect and process the following types of information:

7.2.1. Contact and identification information. This is data that allows us to identify and contact you. This includes: the name, surname, personal number, phone number, e-mail, and actual address specified during registration or placement of an announcement;
7.2.2. Contractual Information. This is detailed information regarding the legal relationship between you and the Company. This includes data about the purchased product, payment method, date, and status of the transaction; 
7.2.3. Location Information.  Such information is data about your physical address (city, street, apartment/house number, postal code), which is necessary for the delivery of the purchased item;
7.2.4. Behavioral Information. This is Information about how you interact with our Platform. This includes: search history, filter settings, products added to "favorites", navigation time, and other actions that help us personalize the service;
7.2.5. Technological Information. This is data about the devices and software you use when accessing the Platform: operating system, browser type, screen resolution, and unique device identifiers;
7.2.6. Communication Information. This is Information that the Company collects during communication with you. This includes: electronic correspondence, telephone recordings (for quality control purposes), messages sent via social networks, and feedback provided in any other form;
7.2.7. Financial Information. This is data related to transactions conducted on the platform; information regarding payments, balance top-ups, and outstanding debts; bank account numbers, and the type and number of advertisements/orders for which the purchase price has been paid;
7.2.8. Technological and Behavioral Data: IP address, device settings, Cookies, website navigation history, and location data;
7.2.9. Communication Data: Correspondence with the support team, complaints, and feedback.

7.3. Purposes of Data Use:

7.3.1. Operation of the Platform and establishing communication with users; order processing, receiving product payments, and ensuring the safe and timely delivery of items to the address specified by you;
7.3.2. Service improvement, adaptation of the Platform to user needs, and statistical analysis;
7.3.3. Marketing, providing news, special offers, and information about partner companies' services and courses (subject to your consent);
7.3.4. Security and protection, fraud prevention, ensuring the technical integrity of the Platform, and responding to complaints.
7.4. Our legitimate interest implies the effective management of the Platform, service development, maintaining data accuracy, and defending the legal interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the user.

8. Sources of Data Collection
8.1. The Company obtains personal data directly from you as well as during your usage of our Platform.
8.2. We collect information provided by you when you:

8.2.1. Register on the Platform, create a personal profile, and/or become our customer;
8.2.2. Send us letters, documentation, or messages (in both physical and electronic forms, including via social networks); or contact us via mobile number;
8.2.3. Express a complaint or request additional information about our products and services;
8.2.4. Apply for employment, sharing your CV and other professional data with us.

8.3. Certain information is collected automatically during your use of our Platform:

8.3.1. Data generated during the service/order placement and delivery process;
8.3.2. Technological and behavioral information described in this Policy;
8.3.3. Information about your activity when you use our online services.

8.4. Data we receive from third parties:

8.4.1. From payment service providers and financial institutions: to confirm payments made by you;
8.4.2. From public sources and organizations: to verify information necessary for the full provision of services and fraud prevention.

9. Data Security Protection
9.1. The Company ensures the protection of personal data from unauthorized access, disclosure, alteration, or destruction by adopting appropriate organizational and technical measures.
9.2. Access to your personal account is protected by a username and password combination. Passwords are stored in an encrypted format and are inaccessible even to the Company's employees.
9.3. The Company urges you to maintain confidentiality and not to disclose your access data to third parties. You are responsible for any activity carried out through your account if it stems from your negligence regarding security measures.
9.4. Your personal information is stored on secure servers with strictly controlled access.
9.5. Access to data is restricted to personnel and contractors who require it to perform their official duties and who are bound by a legal obligation of confidentiality.
9.6. Although we utilize reasonable and modern security standards available on the market, absolute security during data transmission over the Internet is technically impossible to guarantee.
9.7. The Company makes every effort to establish connections only with partners who adhere to similarly high standards of data protection.
9.8. The Company shall not be held liable for the illegal actions of third parties who may gain unauthorized access to data due to vulnerabilities in your device or network. We advise you to use only secure internet connections when utilizing the services.
10. Use of "Cookies"
10.1. For the effective operation of our website, tailoring it to user interests, and improving functionality, the Platform uses "Cookies".
10.2. "Cookies" are small text files that are downloaded and stored on your computer, mobile phone, or other digital device when you visit a website.
10.3. "Cookies" allow the website to "remember" your actions and preferences (such as language, font size, authorization, and other settings) so that you do not have to re-enter them upon each subsequent visit.
10.4. When you start using the Platform, through a special notification banner, you have the opportunity to consent to the use of Cookies, choosing either strictly necessary ones or optional ones as well.
10.5. You can restrict, block, or delete Cookies at any time through your internet browser settings (Chrome, Firefox, Safari, etc.).
10.6. Please note that some Cookie files are critically important for the proper functioning of the Platform. If they are blocked or deleted, certain services and features of the Platform may malfunction or specific capabilities of the website may become fully or partially inaccessible to you.
11. Automated Decision-Making and "Profiling"
11.1. For the purpose of improving service quality, preparing offers tailored to your interests, and preventing fraud, we may use automated data processing, including "profiling".
11.2. The legal basis for automated processing is your explicit consent, the performance of contractual obligations between us, or a direct obligation imposed by legislation.
11.3. You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal or similarly significant effects concerning you, except when:

11.3.1. The decision is necessary for entering into, or the performance of, a contract;
11.3.2. There is your explicitly expressed (written or electronic) consent;
11.3.3. It is directly provided for by applicable legislation.

11.4. In cases where a decision is made automatically, you have the right to request human intervention on our part, express your point of view, and contest the decision.

12. Data Sharing with Third Parties
12.1. Your personal data is shared with third parties only to the extent necessary to achieve the intended purpose.
12.2. We reserve the right to transfer your personal information to state authorities (law enforcement, tax, or other regulatory bodies) if it is necessary for:

12.2.1. Crime prevention, investigation, or prosecution;
12.2.2. Fraud prevention or the investigation of fraud incidents;
12.2.3. Compliance with a court decision or legal requirement;

12.2.4. Protection of our rights, property, or the safety of users.

12.3. Your data may be shared with partner companies (e.g., courier services, IT support, payment systems) that assist us in delivering the product. They are not authorized to use your data for their own independent purposes.
12.4. You have the right to object to data sharing; however, in such a case, the performance of certain contractual obligations undertaken by us towards you may be restricted or become impossible.
13. Special Measures Based on GDPR
13.1. If your personal data is shared outside the European Union and the European Economic Area, the Company will take all steps to ensure that data is processed securely and in accordance with this Policy, and the Company will carry out international data transfers in compliance with legislation. This may be implemented in various ways, for example:

13.1.1. The country with which the information is shared enjoys an adequate level of protection pursuant to a decision of the European Commission;
13.1.2. In the absence of an adequacy decision by the European Commission, we may transfer personal data to a third country or an international organization only if we provide appropriate safeguards in accordance with the GDPR. Furthermore, you may obtain information regarding such safeguards through the communication channels specified in this Policy.

13.2. In the absence of an adequacy decision by the European Commission or appropriate safeguards, including binding corporate rules, a transfer of personal data to a third country or an international organization shall take place only on one of the following conditions:

13.2.1. The data subject has explicitly consented to the proposed transfer, after having been informed of the potential risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
13.2.2. The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
13.2.3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
13.2.4. The transfer is necessary for important reasons of public interest;
13.2.5. The transfer is necessary for the establishment, exercise, or defense of legal claims;
13.2.6. The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

13.3. If personal data is transferred to countries located outside the European Economic Area (EEA), we ensure appropriate data protection safeguards based on Standard Contractual Clauses approved by the European Commission.
13.4. In cases provided for by the Law of Georgia, we will obtain permission from the relevant state authority for data transfer.
14. Data Portability
14.1. You have the right to data portability of your personal data, which implies the possibility to request the receipt of the data provided by you in a structured, commonly used, and machine-readable format, or its direct transmission to another data controller, if technically feasible.
15. Fraud Detection
15.1. Your personal data helps us determine whether your account/profile may be used for fraud or money laundering purposes. If a fraud risk is detected by us, we reserve the right, for your own security, to temporarily suspend transactions/orders or refuse to provide the relevant service.
16. Age of the Data Subject
16.1. Minors (persons under the age of 18) are prohibited from using the Company's Platform. We do not knowingly store or collect information from persons under 18. Protecting the personal information of minors is highly important to us. Accordingly, if we learn that a user is under the age of 18, we will take appropriate measures to delete this user's personal information from our database.
17. Retention Period of Personal Data
17.1. We retain your personal data throughout the entire period of your service. Additionally, after the termination of services, for a period not exceeding 3 years, for the following reasons:

17.1.1. To respond to questions and complaints;
17.1.2. To demonstrate fair treatment towards you;
17.1.3. For the purpose of carrying out legal proceedings within the scope of regulations applicable to our activities;
17.1.4. To fulfill obligations determined by legislation.

17.2. Your data may be stored for a period longer than 3 years if we are deprived of the possibility to delete it due to relevant legal grounds.
18. How to Withdraw Your Consent to Personal Data Processing
18.1. You can withdraw your consent at any time, provided it does not contradict legal requirements.
18.2. To withdraw your consent, if you make such a decision, please contact us at the following email address: info@pmushop.ge.
18.3. The right to withdraw is available (or relevant) when the basis of processing is your consent.
18.4. In case of consent withdrawal, we may not be able to provide you with complete services.
19. Policy Amendments
19.1. The Personal Data Processing Policy document may be amended in accordance with legislative changes and/or changes in our personal data processing rules. The Policy may also be amended by a decision of the Company. Any changes made to the Policy will be published in advance on the Company's Platform.
20. How to Contact Us
20.1. If you request the exercise of your rights (rectification, update, addition, blocking, deletion, destruction of data, etc.), you can contact us via email: info@pmushop.ge ;telephone: (+995) 591 74 47 47; address: 1a E. Takaishvili Street, Tbilisi, Georgia.

By electronically checking / acknowledging this Personal Data Protection Policy, you confirm that you have read this Policy, agree to its terms, and have no claims. Furthermore, you confirm that the information provided by you to the Company constitutes accurate and truthful data. The provision of information was made of your own free will and you possess all powers provided by legislation for this purpose.